Choosing the right IAM/PAM architecture is one of the most consequential decisions in an identity program. The architecture determines scalability, resilience, operational complexity, and the organisation’s ability to adapt to changing requirements.
Architecture Patterns Overview

| Pattern | Best For | Complexity | Scalability | Security |
| --- | --- | --- | --- | --- |
| Hub-and-Spoke | Centralised control, regulated industries | Medium | Good | Strong |
| Cloud-Hybrid | Cloud migration, multi-cloud | High | Excellent | Strong |
| Microservices/API-First | Cloud-native, SaaS providers | High | Excellent | Very Strong |
| Zero Trust | High-security, remote-first | High | Good | Strongest |
Hub-and-Spoke Architecture
Structure
A central IAM/PAM platform (hub) connects to multiple target systems (spokes). The hub centralises policy management, identity provisioning, credential vaulting, and session management while enforcement occurs at the spoke level.
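The following is an added illustration of that split, not code from the original article or from any product it discusses: the hub evaluates policy, holds the vault reference and writes the audit record, then issues a short-lived HMAC-signed session grant; the spoke enforces the grant locally with only its own pre-shared key, so it never needs to call back to the hub. The principals, spoke names, keys, policy entries and vault paths are all constructed for the example.

```python
import base64
import binascii
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Tuple

# Constructed example: a central hub that decides and records, and spokes that
# only verify and enforce. Names, keys and policy entries are all made up.


class Hub:
    """Central IAM/PAM platform: policy store, credential vault, session grants, audit."""

    def __init__(self, spoke_keys: Dict[str, bytes]) -> None:
        # One pre-shared HMAC key per spoke, so a key taken from one spoke
        # cannot be used to mint grants for another.
        self._spoke_keys = spoke_keys
        # Constructed policy: (principal, spoke) -> role granted on that spoke.
        self._policy: Dict[Tuple[str, str], str] = {
            ("alice", "db-prod"): "dba",
            ("bob", "web-01"): "deploy",
        }
        # Constructed vault: the privileged secret stays in the hub; the grant
        # carries only a vault reference for the hub's session broker to resolve.
        self._vault: Dict[str, str] = {"db-prod": "vault://db-prod/sa",
                                       "web-01": "vault://web-01/deploy"}
        self.audit: List[dict] = []          # central audit trail of every decision

    def request_session(self, principal: str, spoke: str, now: int, ttl: int = 300) -> Optional[str]:
        """Evaluate policy centrally and, if allowed, issue a short-lived signed grant."""
        role = self._policy.get((principal, spoke))
        self.audit.append({"at": now, "principal": principal, "spoke": spoke,
                           "decision": "allow" if role else "deny"})
        if role is None or spoke not in self._spoke_keys:
            return None
        claims = {"sub": principal, "aud": spoke, "role": role,
                  "cred": self._vault[spoke], "iat": now, "exp": now + ttl}
        body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
        sig = hmac.new(self._spoke_keys[spoke], body, hashlib.sha256).digest()
        return _b64(body) + "." + _b64(sig)


class Spoke:
    """Target system: enforces a grant locally without calling back to the hub."""

    def __init__(self, name: str, key: bytes) -> None:
        self.name = name
        self._key = key

    def enforce(self, grant: str, now: int) -> Tuple[bool, str]:
        """Return (allowed, role-or-reason). Every check is local and stateless."""
        try:
            body_b64, sig_b64 = grant.split(".")
            body = _unb64(body_b64)
            sig = _unb64(sig_b64)
        except (ValueError, binascii.Error):
            return False, "malformed grant"
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):       # constant-time comparison
            return False, "bad signature"
        claims = json.loads(body)
        if claims.get("aud") != self.name:               # grant is bound to this spoke only
            return False, "wrong spoke"
        if now >= claims.get("exp", 0):                  # short TTL bounds exposure if the hub is down
            return False, "expired"
        return True, claims["role"]


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text)


def tamper_role(grant: str, new_role: str) -> str:
    """Rewrite the role claim but keep the original signature (to show the spoke detects it)."""
    body_b64, sig_b64 = grant.split(".")
    claims = json.loads(_unb64(body_b64))
    claims["role"] = new_role
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return _b64(body) + "." + sig_b64


if __name__ == "__main__":
    hub = Hub({"db-prod": b"constructed-key-db", "web-01": b"constructed-key-web"})
    db = Spoke("db-prod", b"constructed-key-db")
    grant = hub.request_session("alice", "db-prod", now=1000)
    print(db.enforce(grant, now=1100))   # (True, 'dba')
    print(db.enforce(grant, now=1400))   # (False, 'expired')
```

Two design points follow from the pattern itself. Because the spoke verifies offline, grants already issued keep working for their TTL if the hub is unavailable, which softens the single point of failure without bypassing the hub's policy; and because keys are per spoke, a grant for one system cannot be replayed against another even if the audience check were missing.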
| Scenario | Recommended Pattern |
| --- | --- |
| High security, remote workforce, zero trust mandate | Zero Trust |
| Post-merger, multiple identity domains | Cloud-Hybrid with IdP Bridging |
| Small organisation (< 500 users) | Cloud-Hybrid (SaaS IGA/PAM) |
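The cloud-hybrid rows above depend on directory synchronisation between an on-prem AD/LDAP and the cloud IdP, which the Key Takeaways describe as SCIM, delta sync and batch. The example below is added here and is not code from the article or from any IdP vendor: it reconciles a constructed on-prem snapshot against a constructed cloud state and emits SCIM 2.0 operations (POST for new users, PATCH for changed attributes, PATCH active=false for orphans), supports a delta run driven by a change counter standing in for AD's uSNChanged, and chunks the result into SCIM /Bulk request bodies. The identifiers, user records and counter values are all made up.

```python
from typing import Dict, List, Optional, Tuple

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
SCIM_BULK = "urn:ietf:params:scim:api:messages:2.0:BulkRequest"
SYNCED_ATTRS = ("userName", "displayName", "active")

# Constructed on-prem AD/LDAP snapshot keyed by an immutable directory id
# (objectGUID-like); "usn" stands in for AD's uSNChanged change counter.
ON_PREM: Dict[str, dict] = {
    "guid-1": {"userName": "alice@example.test", "displayName": "Alice Adams", "active": True, "usn": 101},
    "guid-2": {"userName": "bob@example.test", "displayName": "Bob Brown", "active": True, "usn": 205},
    "guid-3": {"userName": "carol@example.test", "displayName": "Carol Chen", "active": False, "usn": 310},
}
# Constructed cloud IdP state keyed by externalId (== on-prem id); "id" is the IdP's own resource id.
CLOUD: Dict[str, dict] = {
    "guid-1": {"id": "c-1", "userName": "alice@example.test", "displayName": "Alice Adams", "active": True},
    "guid-2": {"id": "c-2", "userName": "bob@example.test", "displayName": "Bob Browne", "active": True},
    "guid-9": {"id": "c-9", "userName": "dave@example.test", "displayName": "Dave Diaz", "active": True},
}


def plan_sync(on_prem: Dict[str, dict], cloud: Dict[str, dict],
              watermark: Optional[int] = None) -> Tuple[List[dict], int]:
    """Return (SCIM operations, new watermark).

    watermark=None -> full reconciliation: creates, updates and deactivations.
    watermark=N    -> delta run: only source entries changed after N are examined.
                      Deletions are invisible to a change counter, so deprovisioning
                      is deliberately left to the next full run.
    """
    ops: List[dict] = []
    changed = {k: v for k, v in on_prem.items() if watermark is None or v["usn"] > watermark}
    for ext_id, src in changed.items():
        desired = {a: src[a] for a in SYNCED_ATTRS}
        tgt = cloud.get(ext_id)
        if tgt is None:
            ops.append({"method": "POST", "path": "/Users",
                        "data": {"schemas": [SCIM_USER], "externalId": ext_id, **desired}})
            continue
        changes = [{"op": "replace", "path": a, "value": desired[a]}
                   for a in SYNCED_ATTRS if tgt.get(a) != desired[a]]
        if changes:
            ops.append({"method": "PATCH", "path": f"/Users/{tgt['id']}",
                        "data": {"schemas": [SCIM_PATCH], "Operations": changes}})
    if watermark is None:
        # Orphans: present in the cloud IdP but gone on-prem. Deactivate rather than
        # DELETE so the account, its audit trail and its memberships are preserved.
        for ext_id, tgt in cloud.items():
            if ext_id not in on_prem and tgt.get("active"):
                ops.append({"method": "PATCH", "path": f"/Users/{tgt['id']}",
                            "data": {"schemas": [SCIM_PATCH],
                                     "Operations": [{"op": "replace", "path": "active", "value": False}]}})
    new_watermark = max([v["usn"] for v in on_prem.values()] + [watermark or 0])
    return ops, new_watermark


def to_bulk_requests(ops: List[dict], batch_size: int) -> List[dict]:
    """Chunk operations into SCIM /Bulk request bodies (batch sync)."""
    requests: List[dict] = []
    for start in range(0, len(ops), batch_size):
        chunk = []
        for i, op in enumerate(ops[start:start + batch_size], start=start):
            entry = dict(op)
            if op["method"] == "POST":
                entry["bulkId"] = f"op-{i}"   # SCIM requires a bulkId on bulk creates
            chunk.append(entry)
        requests.append({"schemas": [SCIM_BULK], "Operations": chunk})
    return requests


if __name__ == "__main__":
    full_ops, wm = plan_sync(ON_PREM, CLOUD)
    print(len(full_ops), "operations, watermark", wm)        # 3 operations, watermark 310
    delta_ops, _ = plan_sync(ON_PREM, CLOUD, watermark=205)
    print(len(delta_ops), "delta operations")                # 1 delta operations
```

The delta path is where synchronisation bugs usually turn into security gaps: a change counter sees creates and edits but not deletes, so a pipeline that only ever runs in delta mode never deprovisions anyone. Scheduling a periodic full reconciliation alongside the frequent delta runs is what closes that hole.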
Key Takeaways
Four primary IAM/PAM architecture patterns exist: hub-and-spoke (centralised control), cloud-hybrid (bridging on-prem and cloud), microservices/API-first (cloud-native), and zero trust (no implicit trust)
Hub-and-spoke centralises policy management and audit in a single platform but creates a potential single point of failure — best for regulated industries with 50+ on-premises systems
Cloud-hybrid architecture uses directory synchronisation (SCIM, delta sync, batch) to bridge on-prem AD/LDAP with cloud IdP — ideal for hybrid infrastructure with significant SaaS adoption
Microservices/API-first architecture applies API-first, stateless, policy-as-code, and decentralised enforcement principles — designed for cloud-native environments at scale
Zero trust architecture applies five principles (verify explicitly, least privilege, assume breach, micro-segmentation, continuous validation) — every access request is fully authenticated, authorised, and risk-evaluated regardless of network location
The architecture decision framework considers number of systems, cloud adoption, security requirements, operational maturity, regulatory requirements, and existing investment to select the optimal pattern
Architecture maturity is not binary — most organisations evolve through stages: ad hoc → centralised → standardised → automated → adaptive, and the architecture pattern may change at each stage
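To make the zero trust principles in the takeaways concrete, here is an added example of a stateless, policy-as-code decision point that is not code from the article or from any product: it walks the five principles for a single request (verify identity and device explicitly, check least-privilege role, check the micro-segment, continuously re-evaluate session age and risk, and record but never trust the network location) and returns allow, deny or step-up with reasons. The identities, devices, resource, thresholds and risk weights are all constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed example of a zero trust policy decision point. Everything below
# (subjects, devices, resource, thresholds, signal weights) is made up.


@dataclass
class Identity:
    subject: str
    roles: Tuple[str, ...]
    authenticated_at: int          # epoch seconds of last interactive login
    mfa: bool


@dataclass
class Device:
    device_id: str
    managed: bool
    compliant: bool                # e.g. disk encryption on, endpoint agent healthy
    segments: Tuple[str, ...]      # micro-segments this device is permitted to reach


@dataclass
class Resource:
    name: str
    segment: str                   # micro-segment the resource lives in
    allowed_roles: Tuple[str, ...]
    max_session_age: int           # seconds since last interactive auth before step-up
    max_risk: int                  # highest risk score accepted without step-up


@dataclass
class Context:
    now: int
    network: str                   # recorded for forensics, never used to grant trust
    risk_signals: Tuple[str, ...] = ()


# Constructed signal weights; a real deployment would source these from its risk engine.
RISK_WEIGHTS = {"impossible_travel": 60, "new_device": 30, "unusual_hour": 15, "leaked_credential": 100}
HARD_DENY_RISK = 100               # "assume breach": this score is never rescued by step-up


def risk_score(signals: Tuple[str, ...]) -> int:
    return min(100, sum(RISK_WEIGHTS.get(s, 0) for s in signals))


def decide(identity: Identity, device: Device, resource: Resource, ctx: Context) -> Tuple[str, List[str]]:
    """Return ("allow" | "deny" | "step_up", reasons). Deny always wins over step-up."""
    deny: List[str] = []
    # 1. Verify explicitly: identity AND device are checked on every request.
    if not identity.mfa:
        deny.append("MFA not satisfied")
    if not (device.managed and device.compliant):
        deny.append(f"device {device.device_id} not managed/compliant")
    # 2. Least privilege: the subject must hold a role the resource explicitly permits.
    if not set(identity.roles) & set(resource.allowed_roles):
        deny.append(f"no permitted role for {resource.name}")
    # 3. Micro-segmentation: the device must be allowed into the resource's segment.
    if resource.segment not in device.segments:
        deny.append(f"segment {resource.segment} not reachable from device")
    # 4. Assume breach: a compromise-grade risk score is a hard deny, not a step-up.
    score = risk_score(ctx.risk_signals)
    if score >= HARD_DENY_RISK:
        deny.append(f"risk score {score} indicates compromise")
    if deny:
        return "deny", deny
    # 5. Continuous validation: session age and residual risk are re-checked per request.
    step_up: List[str] = []
    if ctx.now - identity.authenticated_at > resource.max_session_age:
        step_up.append("session older than resource allows")
    if score > resource.max_risk:
        step_up.append(f"risk score {score} exceeds {resource.max_risk}")
    if step_up:
        return "step_up", step_up
    # Network location is logged but plays no part in the decision above.
    return "allow", [f"network={ctx.network} recorded, not trusted"]


if __name__ == "__main__":
    alice = Identity("alice", ("dba",), authenticated_at=1000, mfa=True)
    laptop = Device("lap-01", managed=True, compliant=True, segments=("data",))
    db = Resource("db-prod", segment="data", allowed_roles=("dba",), max_session_age=3600, max_risk=40)
    print(decide(alice, laptop, db, Context(now=2000, network="internet")))   # allow
```

The shape of the function is the point: it takes the whole request as input, holds no state between calls, and produces a decision that can be unit-tested and versioned like any other code, which is what the policy-as-code principle in the microservices/API-first pattern asks for as well.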